|
»
»
« Return to Thread: Fwd: Critical phpwiki c99shell exploit
Fwd: Critical phpwiki c99shell exploit
by Reini Urban
::
Rate this Message:
This bugtraq answer shows a link to a screen shot of the c99 shell.
http://www.honeynet.org/papers/webapp/
So php3, php4 and php5 should be blocked now.
But until further analysis I would completely disable the UpLoad plugin for
unsecure users.
---------- Forwarded message ----------
From: Jamie Riden <jamie.riden@...>
Date: 12.04.2007 18:59
Subject: Re: Critical phpwiki c99shell exploit
To: bugtraq@..., "rurban@..." <rurban@...>
On 12 Apr 2007 13:14:14 -0000, rurban@... <rurban@...> wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from russia uploaded a php3 or php4 file,
> install a backdoor at port 8081 and have access to your whole disc and overtake the server.
>
> A url in the file is http://ccteam.ru/releases/c99shell
>
> The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic.
> So apache usually accepts it.
>
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.
>
> You can fix it by adding those two lines to your list of disallowed extensions:
> php3
> php4
> Currently only "php" is disallowed.
Some people also map .php5 - google for "AddType
application/x-httpd-php5 .php5" and "AddType application/x-httpd-php
.php5" - and goodness knows what else.
This would be much better re-written to use known safe extensions, or
the admin needs to carefully compare the disallowed list against
his/her httpd config.
(If there's anyone who doesn't know c99shell, it's sort of a helper
app for doing things on servers - the kind of things you probably
don't want done - and is often used in conjunction with remote file
include attacks to execute shell commands. There's a screenshot in
Appendix B at http://www.honeynet.org/papers/webapp/ . "Defacing Tool
2.0 by r3v3ng4ns" and r57shell are similar utilities you may have come
across.)
cheers,
Jamie
PS. I can't see where it checks if the file is a GIF, but it's not
hard to fool some programs, and I don't like the idea of guessing file
types based on contents. It's not safe.
== foo.php ==
GIF89a!^@"^@
<?php
echo "foo";
?>
===========
$ file foo.php
foo.php: GIF image data, version 89a, 33 x 34
The output of visiting http://localhost/foo.php under apache is
'GIF89a!�"� foo'.
--
Jamie Riden / jamesr@... / jamie@...
UK Honeynet Project: http://www.ukhoneynet.org/
--
Reini Urban
http://phpwiki.org/ http://murbreak.at/
http://spacemovie.mur.at/ http://helsinki.at/
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Phpwiki-talk mailing list
Phpwiki-talk@...
https://lists.sourceforge.net/lists/listinfo/phpwiki-talk
http://www.honeynet.org/papers/webapp/
So php3, php4 and php5 should be blocked now.
But until further analysis I would completely disable the UpLoad plugin for
unsecure users.
---------- Forwarded message ----------
From: Jamie Riden <jamie.riden@...>
Date: 12.04.2007 18:59
Subject: Re: Critical phpwiki c99shell exploit
To: bugtraq@..., "rurban@..." <rurban@...>
On 12 Apr 2007 13:14:14 -0000, rurban@... <rurban@...> wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from russia uploaded a php3 or php4 file,
> install a backdoor at port 8081 and have access to your whole disc and overtake the server.
>
> A url in the file is http://ccteam.ru/releases/c99shell
>
> The uploaded file has a php, php3 or php4 extension and looks like a gif to the mime magic.
> So apache usually accepts it.
>
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of this directory.
>
> You can fix it by adding those two lines to your list of disallowed extensions:
> php3
> php4
> Currently only "php" is disallowed.
Some people also map .php5 - google for "AddType
application/x-httpd-php5 .php5" and "AddType application/x-httpd-php
.php5" - and goodness knows what else.
This would be much better re-written to use known safe extensions, or
the admin needs to carefully compare the disallowed list against
his/her httpd config.
(If there's anyone who doesn't know c99shell, it's sort of a helper
app for doing things on servers - the kind of things you probably
don't want done - and is often used in conjunction with remote file
include attacks to execute shell commands. There's a screenshot in
Appendix B at http://www.honeynet.org/papers/webapp/ . "Defacing Tool
2.0 by r3v3ng4ns" and r57shell are similar utilities you may have come
across.)
cheers,
Jamie
PS. I can't see where it checks if the file is a GIF, but it's not
hard to fool some programs, and I don't like the idea of guessing file
types based on contents. It's not safe.
== foo.php ==
GIF89a!^@"^@
<?php
echo "foo";
?>
===========
$ file foo.php
foo.php: GIF image data, version 89a, 33 x 34
The output of visiting http://localhost/foo.php under apache is
'GIF89a!�"� foo'.
--
Jamie Riden / jamesr@... / jamie@...
UK Honeynet Project: http://www.ukhoneynet.org/
--
Reini Urban
http://phpwiki.org/ http://murbreak.at/
http://spacemovie.mur.at/ http://helsinki.at/
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Phpwiki-talk mailing list
Phpwiki-talk@...
https://lists.sourceforge.net/lists/listinfo/phpwiki-talk
« Return to Thread: Fwd: Critical phpwiki c99shell exploit
| Free embeddable forum powered by Nabble | Forum Help |
